CN117641347A - Registration method, authentication method, device and computer readable storage medium - Google Patents

Publication number
CN117641347A
Authority
CN
China
Prior art keywords
rid
authentication
entity
authentication information
key
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN202311361858.6A
Other languages
Chinese (zh)
Inventor
刘宇泽
游世林
彭锦
邢真
林兆骥
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
ZTE Corp
Original Assignee
ZTE Corp
Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W12/00 Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W12/06 Authentication
    • H04W12/068 Authentication using credential vaults, e.g. password manager applications or one time password [OTP] applications
    • H04W12/069 Authentication using certificates or pre-shared keys
    • H04W12/04 Key management, e.g. using generic bootstrapping architecture [GBA]
    • H04W12/043 Key management, e.g. using generic bootstrapping architecture [GBA] using a trusted network node as an anchor
    • H04W12/60 Context-dependent security
    • H04W12/69 Identity-dependent
    • H04W12/72 Subscriber identity
    • H04W60/00 Affiliation to network, e.g. registration; Terminating affiliation with the network, e.g. de-registration
    • H04W60/04 Affiliation to network, e.g. registration; Terminating affiliation with the network, e.g. de-registration using triggered events
    • H04W8/00 Network data management
    • H04W8/18 Processing of user or subscriber data, e.g. subscribed services, user preferences or user profiles; Transfer of user or subscriber data


Abstract

The application provides a registration method, an authentication method, an apparatus and a computer readable storage medium. The method comprises: acquiring authentication information of a unified data management function (UDM) entity; determining a routing indication (RID) according to the authentication information; and sending a registration request to a key anchoring functional entity according to the RID.

Description

Registration method, authentication method, device and computer readable storage medium
The present application is a divisional application of the Chinese patent application with application number "202110121462.9", application date "2021, 1, 28", and entitled "method, apparatus, entity, and terminal for determining registration, authentication, and routing instructions".
Technical Field
The present application relates to wireless communication networks, and for example, to a registration, authentication, routing indication determination method, apparatus, entity and terminal.
Background
The Fifth Generation mobile communication (5G) Network architecture is composed of several Network Functions (NF). For example, the unified data management function (Unified Data Management, UDM) entity is a permanent place for storing user subscription data, located in the home network to which the user is subscribed; an authentication credential storage and processing function (Authentication Credential Repository and Processing Function, ARPF) entity stores long-term security credentials for authentication and performs key operations using the long-term security credentials as input; an authentication service function (Authentication Server Function, AUSF) entity interacts with the ARPF entity and provides authentication services; an application function (Application Function, AF) entity manages a session of a User Equipment (UE). In addition, the 5G network architecture introduces an application identity authentication and key management service (Authentication and Key Management for Applications, AKMA) key anchoring function (AKMA Anchor Function, AAnF) entity, which is located in the home network and is mainly used to generate session keys between the User Equipment (UE) and the AF entity, and maintain security context between the UE and the session keys. AKMA technology provides end-to-end security protection for 5G networks from users to applications.
On the basis of authentication of the UE by the AUSF entity, the UE may register in the AAnF entity, thereby accessing the 5G network. In this process, both the UE and the AUSF entity generate the key identifier of the AKMA anchor key (A-KID) and the related AKMA anchor key according to the routing indication (Routing Indicator, RID). At present, however, there is no guarantee that the AUSF entity obtains a valid RID, and the A-KID generated by the AUSF entity may not be consistent with the A-KID generated by the UE. In this case, the network side cannot correctly locate the AAnF entity or the UDM entity, and therefore cannot determine whether the user has an AKMA subscription or cannot find the AKMA security context of the user. Authentication or registration of the user then fails, and the user cannot obtain a secure and reliable service.
Disclosure of Invention
The application provides a registration, authentication and routing indication determining method, device, entity and terminal, which are used for guaranteeing the RID to be effective and improving the reliability of user registration and access.
The embodiment of the application provides a registration method, which is applied to an AUSF entity and comprises the following steps:
acquiring authentication information of a UDM entity;
determining RID according to the authentication information;
and sending a registration request to a key anchoring functional entity according to the RID.
The embodiment of the application also provides an authentication method applied to the UDM entity, comprising the following steps:
checking the stored RID according to an authentication request of an authentication service function AUSF entity;
and sending authentication information to the AUSF entity according to the checking result.
The embodiment of the application also provides a routing indication determining method, which is applied to the UE and comprises the following steps:
acquiring authentication information of a Unified Data Management (UDM) entity;
and determining a routing indication RID according to the authentication information.
The embodiment of the application also provides a registration device, which comprises:
the first acquisition module is used for acquiring authentication information of the UDM entity;
a first determining module configured to determine a RID according to the authentication information;
and the registration module is used for sending a registration request to the key anchoring functional entity according to the RID.
The embodiment of the application also provides an authentication device, which comprises:
a checking module configured to check the stored RID according to an authentication request of the authentication service function AUSF entity;
and the authentication module is used for sending authentication information to the AUSF entity according to the checking result.
The embodiment of the application also provides a routing indication determining device, which comprises:
the second acquisition module is used for acquiring authentication information of the unified data management function (UDM) entity;
and a second determining module configured to determine a routing indication RID according to the authentication information.
The embodiment of the application also provides a functional entity, which comprises: the system comprises a memory, a processor and a computer program stored on the memory and capable of running on the processor, wherein the processor realizes the registration method or the authentication method or the route indication determining method when executing the program.
The embodiment of the application also provides a terminal which comprises a memory, a processor and a computer program stored on the memory and capable of running on the processor, wherein the processor realizes the route indication determining method when executing the program.
The embodiment of the application also provides a computer readable storage medium, and a computer program is stored on the computer readable storage medium, and when the program is executed by a processor, the registration method or the authentication method or the route indication determining method is realized.
Drawings
FIG. 1 is a schematic diagram of an application identity authentication and key management service architecture according to an embodiment;
FIG. 2 is a flow chart of a registration method according to an embodiment;
FIG. 3 is a flow chart of generating the key identifier of an AKMA anchor key, provided by one embodiment;
FIG. 4 is a flow chart of generating the key identifier of an AKMA anchor key, provided by another embodiment;
FIG. 5 is a flowchart of an authentication method according to an embodiment;
FIG. 6 is a flow chart of a method for determining routing indication according to an embodiment;
FIG. 7 is a schematic diagram of a registration device according to an embodiment;
FIG. 8 is a schematic structural diagram of an authentication device according to an embodiment;
FIG. 9 is a schematic structural diagram of a routing indication determining apparatus according to an embodiment;
FIG. 10 is a schematic diagram of a hardware structure of a functional entity according to an embodiment;
FIG. 11 is a schematic hardware structure of a terminal according to an embodiment.
Detailed Description
The present application is described below with reference to the drawings and examples. It is to be understood that the specific embodiments described herein are merely illustrative of the application and not limiting thereof. It should be noted that, in the case of no conflict, the embodiments and features in the embodiments may be arbitrarily combined with each other. It should be further noted that, for convenience of description, only some, but not all of the structures related to the present application are shown in the drawings.
Fig. 1 is a schematic diagram of an application identity authentication and key management service architecture according to an embodiment. As shown in fig. 1, the UE communicates with an Access Network (AN) or a radio Access Network (Radio Access Network, RAN) through various Network functions. The Access management function (Access Management Function, AMF) entity is used for managing the requirement of the user for accessing the network, and is responsible for Non-Access Stratum (NAS) signaling management from the terminal to the network, user mobility management and the like. It has a security anchor function, can interact with the AUSF entity and the UE, receives an intermediate key established for the UE authentication process, and also acquires security related data from the AUSF entity for an authentication mode based on global user identity (Universal Subscriber Identity Module, USIM). The AF entity is used for managing sessions of User Equipment (UE).
The UDM entity is configured to store user subscription data, and is located in a home network subscribed by the user. An authentication credential storage and processing function (Authentication Credential Repository and Processing Function, ARPF) entity stores long-term security credentials for authentication and performs key operations using the long-term security credentials as input. The AUSF entity interacts with the ARPF entity and provides authentication services. The AAnF entity is located in the home network and is mainly used for generating a session key between the UE and the AF entity and maintaining a security context between the UE and the session key. The AAnF entity is similar to the bootstrapping service function (Bootstrapping Server Function, BSF) in the generic bootstrapping authentication mechanism (General Bootstrapping Architecture, GBA); the interface Ua between the UE and the AF entity is similar to the Ua interface in GBA. Nnef, Nausf, Naanf and Namf are service-based interfaces of a network open function (Network Exposure Function, NEF) entity, an AUSF entity, an AAnF entity, and an AMF entity, respectively. The NEF entity is used for managing the external open network data, and the external application can access the internal data of the core network through the NEF.
Before the UE accesses the network, the AUSF entity and the UDM entity are requested to carry out key negotiation authentication, the AUSF entity is used for generating a session key between the UE and the AF entity and maintaining a security context between the AUSF entity and the UE, and the UDM entity is used for storing user subscription data, judging whether the user is an AKMA subscription user or not and the like. The UE, after authentication by key agreement, may generate a key identifier (AKMA-Key Identification, A-KID) of the AKMA anchor key from the RID, together with the associated AKMA anchor key (denoted K_AKMA), and send the A-KID and K_AKMA to the AAnF entity through the AF entity. In this process, the AUSF entity also generates an A-KID using the RID and sends the SUPI of the user, the generated A-KID and K_AKMA to the AAnF entity; the AAnF entity responds to the AUSF entity, and the authentication and registration of the user are completed.
The AAnF entity obtains the A-KID and K_AKMA generated by the UE from the AF entity; on the other hand, it also obtains the A-KID and K_AKMA generated by the network from the AUSF entity. However, the RID of the AUSF entity may be null or invalid, and may not be consistent with the RID used by the UE. As a result, the network side cannot correctly locate the AAnF entity or the UDM entity, cannot determine whether the user has an AKMA subscription or cannot find the AKMA security context of the user, fails to authenticate or register the user, and the user cannot obtain a safe and reliable service.
The embodiment of the application provides a registration method which can be applied to an AUSF entity, wherein the AUSF entity can determine effective RID according to authentication information of a UDM entity and provide effective information for the AAnF entity, so that user registration is realized, and safe and reliable service is provided for users.
Fig. 2 is a flowchart of a registration method according to an embodiment, and as shown in fig. 2, the method according to the embodiment includes step 110 and step 130.
In step 110 authentication information of a unified data management function UDM entity is obtained.
In this embodiment, during authentication, the AUSF entity interacts with the UDM entity to obtain authentication information, in order to determine an effective RID. The authentication information may or may not include an RID, and may also include indication information about the RID, for indicating how the AUSF entity determines the RID.
In an embodiment, the authentication information may further include authentication credentials, such as an authentication vector (Authentication Vector, AV) of authentication and key agreement (Authentication and Key Agreement, AKA), and the authentication method may employ an authentication response (Nudm_UEAuthentication_Get Request) service operation.
In step 120, a route indication RID is determined from the authentication information.
The RID may consist of 1 to 4 decimal digits. The RID in combination with the home network identifier may constitute an A-KID for passing the user's data or signaling to the AUSF entity and the UDM entity in the designated network. If the RID is invalid, the A-KID is invalid: if the network side cannot correctly find the UDM entity, it cannot judge whether the user has an AKMA subscription; if it cannot correctly find the AAnF entity, the AKMA security context of the user cannot be found.
In this embodiment, the AUSF entity may determine the RID according to authentication information of the UDM entity. The authentication information may include RID, in which case the AUSF entity may send a registration request directly to the AAnF entity according to the RID obtained from the UDM entity; the authentication information may not include RID, in which case the AUSF entity may determine a valid RID according to a preconfigured policy or by negotiating with the UE, etc.; alternatively, the authentication information may include indication information about the RID, and the AUSF entity determines the RID according to the indication information.
In an embodiment, the UDM entity may check whether it stores the RID itself, and if so, send the stored RID to the AUSF entity through authentication information; if not, no information about the RID is transmitted, or indication information about the RID may be transmitted.
In step 130, a registration request is sent to the key anchoring functional entity according to the RID.
In this embodiment, after determining the valid RID, the AUSF entity may send the SUPI of the user, together with the valid A-KID and K_AKMA generated from the RID, to the AAnF entity to request the AAnF entity to finish the registration of the user.
In one embodiment, the authentication information includes a RID.
In this embodiment, the UDM entity checks whether or not it stores the RID, and if so, sends the RID to the AUSF entity through the authentication information. The AUSF entity can directly determine the RID according to the authentication information, and generates the A-KID and the related K_AKMA according to the RID.
In an embodiment, the authentication information does not include a RID; step 120, including:
and selecting the value of the corresponding number of digits from the mobile user identification number MSIN as the RID according to a pre-configuration strategy or a negotiation result with the user terminal.
In this embodiment, the UDM entity does not check the RID, and thus the RID is not included in the authentication information. The AUSF entity does not acquire the RID in the authentication information, and can select specific digits from the MSIN as the RID to make the RID valid, thereby generating a valid A-KID and providing a reliable basis for user registration. The number of digits selected and the position of the selected value in the MSIN (e.g., the first few digits, the last few digits, the middle few digits, or a particular few digits, etc.) may be determined according to a pre-configured policy or by negotiating with the UE, and in some embodiments, may also be determined according to indication information about the RID.
It should be noted that the UE may also select the value of the corresponding number of digits from the MSIN as the RID and generate the A-KID accordingly, and the value selected from the MSIN by the UE is consistent with the value selected from the MSIN by the AUSF entity.
In one embodiment, selecting the value of the corresponding number of digits from the MSIN as the RID includes one of:
1) Selecting the value of the first corresponding number of digits in the MSIN as the RID; e.g., if the RID has 4 digits in total, the AUSF entity selects digits 1 to 4 of the MSIN as the RID;
2) Selecting the value of the corresponding number of digits from a set position in the MSIN as the RID; e.g., if the RID has 4 digits in total, the AUSF entity selects the 3rd to the 6th digits of the MSIN as the RID;
3) Selecting the value of the last corresponding number of digits in the MSIN as the RID; e.g., if the RID has 4 digits in total, the AUSF entity selects the last 4 digits of the MSIN as the RID.
In one embodiment, the home location register (Home Location Register, HLR; the HLR corresponds to the UDM) may be determined using the first letter or digits of the MSIN, so the RID may be populated with the first letter or digits of the MSIN. If the RID has 4 digits and the MSIN is 0123456789, then under a pre-configuration policy that selects the first 4 digits, the RID may be filled with "0123" to obtain the updated A-KID. As another example, if the preconfigured policy is to select digits 3 through 6 of the MSIN, then "2345" is filled into the RID.
In an embodiment, the authentication information includes RID indication information; the RID indication information is used to specify the value of the corresponding number of digits in the MSIN.
In this embodiment, the UDM entity does not detect the RID, and sends RID indication information to the AUSF entity through authentication information to instruct the AUSF entity to select the value of the corresponding number of digits from the MSIN as the RID.
In one embodiment, step 120 includes: taking the value of the corresponding number of digits in the MSIN designated by the RID indication information as the RID.
In this embodiment, the UDM entity specifies in the RID indication information which digits of the MSIN are used as the RID, for example, the corresponding number of digits at the front of the MSIN, at the end of the MSIN, or starting from a set position.
In an embodiment, the authentication information includes a home network public key identity (Home Network Public Key Identifier, HNPKI).
In this embodiment, the UDM entity may further indicate, to the AUSF entity, a home network public key identifier through authentication information. It identifies the public key provided by the home network for protecting the SUPI, and has a value of 0 in the case of no protection.
In an embodiment, further comprising:
step 100: an authentication request is sent to the UDM entity, the authentication request comprising a user hidden identity (Subscription Concealed Identifier, SUCI) or a user permanent identity (Subscription Permanent Identifier, SUPI).
In this embodiment, the AUSF entity sends an authentication request to the UDM entity, where the authentication request includes a user identifier, and the user identifier is one of two types: SUCI or SUPI.
The SUPI may be an international mobile subscriber identity (International Mobile Subscriber Identification Number, IMSI) or a network access identity (Network Access Identifier, NAI).
The SUCI is composed of six parts:
SUPI Type (SUPI Type), whose value can be 0-7, where the value 0 denotes an IMSI and the value 1 denotes an NAI;
a home network identifier for identifying the home network of the user, wherein in the case of the SUPI being an IMSI, the IMSI is composed of a mobile country code (Mobile Country Code, MCC), a mobile network code (Mobile Network Code, MNC) and MSIN;
RID, assigned by the home network operator, which together with the home network identifier indicates that network signaling is to be routed to the AUSF entity and UDM entity serving the user;
a protection scheme identifier (Protection Scheme Identifier) indicating no protection (Null-Scheme) or protection (Non-Null-Scheme);
a home network public key identifier (Home Network Public Key Identifier), which identifies the public key provided by the home network for protecting the SUPI, and which takes a value of 0 in the absence of protection;
the protection scheme output (Scheme Output), which in the case of no protection includes the MSIN of the IMSI or the NAI, and in the case of protection includes the values of MSIN and NAI encrypted using elliptic curves.
In one embodiment, step 130 includes:
step 131: generating a key identifier A-KID of the AKMA anchoring key according to the RID;
step 132: and sending a registration request to the key anchoring functional entity according to the A-KID.
In this embodiment, the AUSF entity sends the SUPI of the user, together with the valid A-KID and K_AKMA generated according to the RID, to the AAnF entity to request the AAnF entity to finish the registration of the user.
In this embodiment, the key identifier A-KID of the anchor key K_AKMA includes two parts, a user name (Username) and a home network domain name (Realm). The Username comprises a RID and a user temporary identifier; the Realm contains a home network identification (Home Network Identifier).
In this embodiment, the AUSF entity uses the Naanf_AKMA_KeyRegistration Request service operation to send the user's SUPI, the A-KID generated from the RID, and K_AKMA to the AAnF entity, and the AAnF entity sends a response message to the AUSF entity by using the Naanf_AKMA_KeyRegistration Response service operation.
In this embodiment, the key to generating the A-KID is to determine a valid RID, i.e., to replace an invalid RID in the Username with the value of the corresponding digits in the MSIN. The corresponding digits of the MSIN may be selected to fill in the RID according to a pre-configured policy to make the RID valid and thereby update the A-KID.
The selection of the value of the corresponding digits from the MSIN to populate the RID is described below by way of example.
For example, the IMSI is 234150123456789, i.e., MCC=234, MNC=15, MSIN=0123456789; the RID is 000 and the home network public key identification is 27. The unprotected SUCI is 0, 234, 15, 000, 0, 0 and 0123456789, and the protected SUCI is 0, 234, 15, 000, 1, 27, <elliptic curve public key value (Elliptic Curve Cryptography Ephemeral Public Key Value)>, <encrypted 0123456789> and <medium access control layer label value (Media Access Control Tag Value)>. In this case, the RID is 000, which is an invalid RID, and its number of digits is 3. The 4th to 6th digits of the MSIN are then selected according to the pre-configuration policy or the negotiation result with the UE, the RID is filled with "345", and the RID in the updated A-KID is 345.
As another example, the IMSI is 234150123456789, i.e., MCC=234, MNC=15, MSIN=0123456789; the RID is 9999 and the home network public key identification is 27. The unprotected SUCI is 0, 234, 15, 9999, 0, 0 and 0123456789, and the protected SUCI is 0, 234, 15, 9999, 1, 27, <elliptic curve public key value>, <encrypted 0123456789> and <MAC tag value>. In this case, the RID is 9999; if 9999 is a default value or an invalid value, the RID is invalid, and its number of digits is 4. The first 4 digits of the MSIN can be selected according to a pre-configuration policy, the RID is filled with "0123", and the RID in the updated A-KID is 0123. If the pre-configuration policy is to select digits 3 to 6 of the MSIN, "2345" is filled into the RID, and the RID in the new A-KID is 2345.
Fig. 3 is a flow chart of generating the key identifier of an AKMA anchor key, provided by an embodiment. In this embodiment, the user is an AKMA subscriber, and both the UE and the AUSF entity may determine a valid RID. As shown in fig. 3, the specific flow is as follows:
A. In the authentication process, the AUSF entity sends an authentication request to the UDM entity, the authentication request containing the subscriber's SUCI/SUPI.
B. The UDM entity checks if the RID of the user is stored.
C. If the RID of the user exists, the UDM entity sends the RID value to the AUSF entity through authentication information; if the RID of the user is not available, the authentication information sent by the UDM entity does not include the RID.
D. If the AUSF entity receives the RID from the UDM entity, it directly determines the RID; if no RID is received, the value of the corresponding digits in the MSIN is selected as the RID for the user. The manner in which the AUSF entity selects the value in the MSIN may be determined by a pre-configured policy or by negotiation with the UE at the network side. The actual number of digits chosen is determined by the number of RID digits.
E. The A-KID is generated based on the RID.
Fig. 4 is a flow chart of generating the key identifier of an AKMA anchor key, provided by another embodiment. As shown in fig. 4, the specific flow is as follows:
a. In the authentication process, the AUSF entity sends an authentication request to the UDM entity, the authentication request containing the subscriber's SUCI/SUPI.
b. The UDM entity checks if the RID of the user is stored.
c. If there is no RID for the user, the UDM entity sends authentication information to the AUSF entity, which includes a RID indication indicating which digits in the MSIN to select as the RID.
d. The UDM entity sends the RID indication to the UE through the AMF entity.
e. The UE selects the value of the corresponding number of digits from the MSIN as the RID according to the RID indication.
f. The UE generates the A-KID according to the RID.
g. The AUSF entity selects the value of the corresponding number of digits from the MSIN as the RID according to the RID indication of the UDM entity.
h. The AUSF entity generates the A-KID from the RID.
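The two flows above and the MSIN worked examples, as an added Python example that is not part of the patent text. The `AuthInfo` and `RidIndication` containers, the function names, the set of invalid RID values (taken from the two worked examples), the `@` join between Username and Realm, and the realm and temporary identifier values are assumptions made for illustration.

```python
from dataclasses import dataclass
from typing import FrozenSet, Optional

# Assumption: RID values treated as invalid/default, taken from the page's
# two worked examples (000 and 9999). A real deployment would configure this.
INVALID_RIDS: FrozenSet[str] = frozenset({"000", "9999"})


@dataclass(frozen=True)
class RidIndication:
    """Which MSIN digits form the RID. `start` is 1-based, as in the text."""
    start: int
    length: int


@dataclass(frozen=True)
class AuthInfo:
    """Hypothetical container for the UDM's authentication information."""
    rid: Optional[str] = None
    rid_indication: Optional[RidIndication] = None


def rid_is_valid(rid: Optional[str]) -> bool:
    """A usable RID is 1 to 4 decimal digits and not a known invalid value."""
    return (rid is not None and rid.isascii() and rid.isdigit()
            and 1 <= len(rid) <= 4 and rid not in INVALID_RIDS)


def select_from_msin(msin: str, ind: RidIndication) -> str:
    """Cut the RID out of the MSIN; reject selections that cannot yield one."""
    if not (msin.isascii() and msin.isdigit()):
        raise ValueError("MSIN must be decimal digits")
    if not 1 <= ind.length <= 4:
        raise ValueError("RID length must be 1 to 4 digits")
    end = ind.start - 1 + ind.length
    if ind.start < 1 or end > len(msin):
        raise ValueError("selection falls outside the MSIN")
    return msin[ind.start - 1:end]


def last_digits(msin: str, length: int) -> RidIndication:
    """Policy helper: the last `length` digits of the MSIN."""
    return RidIndication(len(msin) - length + 1, length)


def udm_auth_info(stored_rid: Optional[str],
                  indication: Optional[RidIndication] = None) -> AuthInfo:
    """UDM side: send the stored RID if there is one, else an optional indication."""
    if stored_rid is not None:
        return AuthInfo(rid=stored_rid)
    return AuthInfo(rid_indication=indication)


def determine_rid(auth: AuthInfo, msin: str, preconfigured: RidIndication) -> str:
    """AUSF or UE side: RID from the UDM, else from the indication, else from policy."""
    if rid_is_valid(auth.rid):
        return auth.rid
    return select_from_msin(msin, auth.rid_indication or preconfigured)


def make_a_kid(rid: str, temp_id: str, realm: str) -> str:
    """A-KID = Username (RID + temporary identifier) plus Realm.

    Joining the two parts with '@' (NAI style) is an assumption of this example.
    """
    return f"{rid}{temp_id}@{realm}"


if __name__ == "__main__":
    msin = "0123456789"             # MSIN from the page's example IMSI
    realm = "mnc15.mcc234.example"  # constructed realm, not a real domain
    temp_id = "TID0001"             # constructed temporary identifier
    policy = RidIndication(1, 4)    # preconfigured policy: first 4 digits
    # Fig. 4 flow: no stored RID, the UDM indicates digits 4 to 6 to both sides.
    auth = udm_auth_info(None, RidIndication(4, 3))
    ue = make_a_kid(determine_rid(auth, msin, policy), temp_id, realm)
    ausf = make_a_kid(determine_rid(auth, msin, policy), temp_id, realm)
    print(ue, ausf, ue == ausf)
    # Failure mode from the background: the AUSF keeps the invalid RID 000,
    # so its A-KID no longer matches the one the UE generated.
    print(make_a_kid("000", temp_id, realm) == ue)
```

Because the UE and the AUSF entity apply the same indication or policy to the same MSIN, both derive the same RID and therefore the same A-KID; a selection that falls outside the MSIN is rejected rather than silently truncated.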
In one embodiment, the AUSF entity determines an application key K_AF based on K_AKMA. On this basis, the network side can correctly locate the AAnF entity and the UDM entity, thereby correctly starting the encryption of the application layer, realizing the registration and authentication of the user, ensuring the access safety of the user, and providing safe and reliable service for the terminal by the network side based on the AKMA architecture.
The embodiment of the application also provides an authentication method which can be applied to the UDM entity, and the UDM entity sends corresponding authentication information to the AUSF entity by checking whether the RID is stored or not, so that the AUSF entity can determine the effective RID, thereby providing effective information for the AAnF entity, realizing authentication of the user and providing safe and reliable service for the user. It should be noted that technical details not described in detail in this embodiment may be found in any of the above embodiments.
Fig. 5 is a flowchart of an authentication method according to an embodiment, and as shown in fig. 5, the method according to the embodiment includes steps 210 and 220.
In step 210, the stored route indication RID is checked against an authentication request of the authentication service function AUSF entity.
In step 220, authentication information is sent to the AUSF entity according to the checking result.
In this embodiment, the UDM entity may check whether the RID is stored in itself, and if so, send the stored RID to the AUSF entity through authentication information; if not, no information about the RID is transmitted, or indication information about the RID may be transmitted.
In an embodiment, the authentication information includes the RID.
In this embodiment, the UDM entity checks whether or not the RID is stored in itself, and if so, sends the RID to the AUSF entity through the authentication information, and the AUSF entity can directly determine the RID according to the authentication information.
In an embodiment, the authentication information does not include the RID.
In this embodiment, the UDM entity's check does not find a stored RID, and thus the RID is not included in the authentication information. The AUSF entity does not obtain the RID from the authentication information and may select a specific few digits from the MSIN as the RID.
In an embodiment, the authentication information includes a RID indication, the RID indication information specifying a value of a corresponding number of bits in the MSIN.
In this embodiment, the UDM entity's check does not find a stored RID, and the UDM entity sends RID indication information to the AUSF entity in the authentication information, instructing the AUSF entity to select the value of the corresponding digits from the MSIN as the RID.
In an embodiment, the authentication information includes a home network public key identification.
In an embodiment, further comprising:
step 200: an authentication request is received, the authentication request including a SUCI or SUPI.
The embodiment of the application also provides a routing indication determining method, which can be applied to the UE and also to the AUSF entity. The UE and/or the AUSF entity determine an effective RID according to the authentication information of the UDM entity and provide effective information for the AAnF entity, thereby realizing user registration and providing safe and reliable service for the user. It should be noted that technical details not described in detail in this embodiment may be found in any of the above embodiments. For example, for how the UE determines the RID according to the authentication information of the UDM entity, reference may be made to the description of the AUSF entity determining the RID according to the authentication information of the UDM entity in any of the above embodiments.
Fig. 6 is a flowchart of a method for determining a routing indication according to an embodiment, and as shown in fig. 6, the method provided in this embodiment includes steps 310 and 320.
In step 310, authentication information of a unified data management function UDM entity is obtained.
In step 320, a route indication RID is determined from the authentication information.
In this embodiment, the UE and/or the AUSF entity obtain authentication information sent by the UDM entity. The UDM entity can check whether the RID is stored in the UDM entity or not, and if so, the stored RID is sent to the UE through authentication information; if not, no information about the RID is transmitted, or indication information about the RID may be transmitted.
In an embodiment, the authentication information includes RID indication information; the RID indication information is used to specify the value of the corresponding number of bits in the MSIN.
In this embodiment, the UE and/or the AUSF entity obtain authentication information sent by the UDM entity, where the authentication information includes an RID indication, and the UE and/or the AUSF entity may select a value of a corresponding number of bits from the MSIN as the RID according to the RID indication.
In one embodiment, step 320 includes: taking the value of the corresponding digits in the MSIN specified by the RID indication information as the RID.
In this embodiment, the UE and/or the AUSF entity obtain authentication information sent by the UDM entity, where the authentication information includes an RID indication, and the UE and/or the AUSF entity may use a value of a corresponding number of bits in the MSIN as the RID according to the RID indication. See in particular fig. 4.
The embodiment of the application also provides a registration device. Fig. 7 is a schematic structural diagram of a registration device according to an embodiment. As shown in fig. 7, the registration apparatus includes: a first acquisition module 410, a first determination module 420, and a registration module 430.
A first obtaining module 410 configured to obtain authentication information of a unified data management function UDM entity;
a first determining module 420 arranged to determine a RID based on the authentication information;
A registration module 430 is arranged to send a registration request to the key anchoring functional entity according to the RID.
The registration device of the embodiment provides effective information for the AAnF entity by determining RID according to the authentication information of the UDM entity, thereby realizing user registration and providing safe and reliable service for the user.
In an embodiment, the authentication information includes the RID.
In an embodiment, the authentication information does not include the RID; the first determining module 420 is configured to:
and selecting a value of a corresponding digit from the MSIN as the RID according to a pre-configuration strategy or a negotiation result with the user terminal.
In one embodiment, selecting a value of a corresponding number of bits from the MSIN as the RID includes one of:
selecting the value of the corresponding forefront digit in the MSIN as the RID;
selecting a value of a corresponding number of bits from a set position in the MSIN as the RID;
and selecting the value of the last corresponding digit in the MSIN as the RID.
In an embodiment, the authentication information includes RID indication information; the RID indication information is used to specify the value of the corresponding number of bits in the MSIN.
In an embodiment, the first determining module 420 is configured to:
take the value of the corresponding digits in the MSIN specified by the RID indication information as the RID.
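The three cases described above (authentication information that carries the RID, that carries only a RID indication, or that carries neither) and the MSIN selection modes can be sketched as follows. This is an added example, not code from the patent: the `RidIndication` encoding (start offset plus digit count), the `Policy` fields and all sample SUPI/MSIN values are assumptions constructed for illustration.

```python
from dataclasses import dataclass
from typing import Dict, Optional


class RidError(ValueError):
    """Raised when a RID cannot be determined unambiguously."""


@dataclass(frozen=True)
class RidIndication:
    # Hypothetical encoding: 0-based offset into the MSIN plus a digit count.
    start: int
    count: int


@dataclass(frozen=True)
class AuthInfo:
    # Authentication information sent by the UDM; both fields may be absent.
    rid: Optional[str] = None
    rid_indication: Optional[RidIndication] = None


@dataclass(frozen=True)
class Policy:
    # Pre-configured fallback: "first", "position" or "last" digits of the MSIN.
    mode: str
    count: int
    start: int = 0


def select_digits(msin: str, start: int, count: int) -> str:
    """Return msin[start:start+count], failing closed on any bad input."""
    if not (msin.isascii() and msin.isdigit()):
        raise RidError("MSIN must consist of decimal digits")
    # Python slicing would silently return a shorter string here, so the UE
    # and the AUSF could end up with different RIDs; reject instead.
    if count < 1 or start < 0 or start + count > len(msin):
        raise RidError("selection falls outside the MSIN")
    return msin[start:start + count]


def apply_policy(msin: str, policy: Policy) -> str:
    """Fallback used when the authentication information has no RID data."""
    if policy.mode == "first":
        return select_digits(msin, 0, policy.count)
    if policy.mode == "position":
        return select_digits(msin, policy.start, policy.count)
    if policy.mode == "last":
        return select_digits(msin, len(msin) - policy.count, policy.count)
    raise RidError(f"unknown policy mode: {policy.mode!r}")


def udm_build_auth_info(stored_rids: Dict[str, str], supi: str,
                        indication: Optional[RidIndication]) -> AuthInfo:
    """UDM side: check for a stored RID, then choose what to send."""
    rid = stored_rids.get(supi)
    if rid is not None:
        return AuthInfo(rid=rid)
    return AuthInfo(rid_indication=indication)  # may carry no RID data at all


def determine_rid(auth: AuthInfo, msin: str, policy: Policy) -> str:
    """AUSF or UE side: derive the RID from the authentication information."""
    if auth.rid is not None:
        if not (auth.rid.isascii() and auth.rid.isdigit()):
            raise RidError("RID must consist of decimal digits")
        return auth.rid
    if auth.rid_indication is not None:
        ind = auth.rid_indication
        return select_digits(msin, ind.start, ind.count)
    return apply_policy(msin, policy)


# Constructed sample data (test PLMN 001/01, made-up MSINs).
MSIN = "9876543210"
SUPI = "imsi-00101" + MSIN
STORED = {"imsi-001010000000001": "0012"}
FALLBACK = Policy(mode="last", count=3)


def run_cases() -> Dict[str, str]:
    out = {}
    stored = udm_build_auth_info(STORED, "imsi-001010000000001", None)
    out["stored"] = determine_rid(stored, "0000000001", FALLBACK)
    indicated = udm_build_auth_info(STORED, SUPI, RidIndication(2, 4))
    out["ausf"] = determine_rid(indicated, MSIN, FALLBACK)  # AUSF derivation
    out["ue"] = determine_rid(indicated, MSIN, FALLBACK)    # UE derivation
    silent = udm_build_auth_info(STORED, SUPI, None)
    out["fallback"] = determine_rid(silent, MSIN, FALLBACK)
    try:
        determine_rid(AuthInfo(rid_indication=RidIndication(8, 4)), MSIN, FALLBACK)
    except RidError as exc:
        out["out_of_range"] = str(exc)
    return out


if __name__ == "__main__":
    for name, value in run_cases().items():
        print(f"{name}: {value}")
```

Because the UE and the AUSF entity each derive the A-KID from their own copy of the RID, the selection must be deterministic on both sides; an indication that does not fit the MSIN is rejected rather than truncated.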
In an embodiment, the authentication information includes a home network public key identification.
In an embodiment, further comprising:
and the request module is used for sending an authentication request to the UDM entity, wherein the authentication request comprises a user hidden identifier SUCI or a user permanent identifier SUPI.
In one embodiment, registration module 430 includes:
the generation module is used for generating a key identifier of the AKMA anchoring key according to the RID;
and the registration unit is used for sending a registration request to the key anchoring functional entity according to the key identification.
The registration apparatus according to the present embodiment belongs to the same inventive concept as the registration method according to the above embodiment, and technical details not described in detail in the present embodiment can be seen in any of the above embodiments, and the present embodiment has the same advantages as those of performing the registration method.
The embodiment of the application also provides an authentication device. Fig. 8 is a schematic structural diagram of an authentication device according to an embodiment. As shown in fig. 8, the authentication apparatus includes: a checking module 510 and an authentication module 520.
A checking module 510 configured to check the stored RID according to an authentication request of the authentication service function AUSF entity;
And an authentication module 520 configured to send authentication information to the AUSF entity according to the checking result.
The authentication device of the embodiment sends authentication information to the AUSF entity by checking whether the RID is stored or not, so that the AUSF entity can determine the RID and provide effective information for the AAnF entity, thereby realizing authentication of the user and providing safe and reliable service for the user.
In an embodiment, the authentication information includes the RID.
In an embodiment, the authentication information does not include the RID.
In an embodiment, the authentication information includes a RID indication, the RID indication information specifying a value of a corresponding number of bits in the MSIN.
In an embodiment, the authentication information includes a home network public key identification.
In an embodiment, further comprising:
the request receiving module is configured to receive an authentication request, where the authentication request includes a user hidden identifier SUCI or a user permanent identifier SUPI.
The authentication device according to the present embodiment belongs to the same inventive concept as the authentication method according to the above embodiment, and technical details not described in detail in the present embodiment can be seen in any of the above embodiments, and the present embodiment has the same advantageous effects as those of performing the authentication method.
The embodiment of the application also provides a routing indication determining device. Fig. 9 is a schematic structural diagram of a routing indication determining apparatus according to an embodiment. As shown in fig. 9, the routing indication determining apparatus includes: a second acquisition module 610 and a second determination module 620.
A second obtaining module 610, configured to obtain authentication information of the UDM entity;
a second determining module 620 is arranged to determine a routing indication RID based on the authentication information.
The route indication determining device of the embodiment determines effective RID according to authentication information of the UDM entity and provides effective information for the AAnF entity, thereby realizing user registration and providing safe and reliable service for users.
In an embodiment, the authentication information includes RID indication information; the RID indication information is used to specify the value of the corresponding number of bits in the MSIN.
In an embodiment, the second determining module 620 is configured to: take the value of the corresponding digits in the MSIN specified by the RID indication information as the RID.
The route indication determining device according to the present embodiment belongs to the same inventive concept as the route indication determining method according to the above embodiment, and technical details not described in detail in the present embodiment can be seen in any of the above embodiments, and the present embodiment has the same advantages as those of executing the route indication determining method.
The embodiment of the application also provides a functional entity. The functional entity in this embodiment is an AUSF entity or a UDM entity. Fig. 10 is a schematic hardware structure of a functional entity provided in an embodiment, as shown in fig. 10, where the functional entity provided in the present application includes a memory 72, a processor 71, and a computer program stored in the memory and capable of running on the processor, and when the processor 71 executes the program, the above-mentioned registration method or authentication method or route indication determining method is implemented.
The functional entity may also include a memory 72; the number of processors 71 in the functional entity may be one or more, one processor 71 being taken as an example in fig. 10; the memory 72 is used to store one or more programs; the one or more programs are executed by the one or more processors 71, such that the one or more processors 71 implement a registration method or an authentication method or a route indication determination method as described in the embodiments of the present application.
The functional entity further comprises: a communication device 73, an input device 74 and an output device 75.
The processor 71, the memory 72, the communication device 73, the input device 74 and the output device 75 of the functional entity may be connected by a bus or by other means; connection by a bus is taken as an example in fig. 10.
The input device 74 may be used to receive input numeric or character information and to generate key signal inputs related to user settings and function control of the functional entity. The output means 75 may comprise a display device such as a display screen.
The communication device 73 may include a receiver and a transmitter. The communication device 73 is provided to perform information transmission and reception communication according to the control of the processor 71.
The memory 72, which is a computer-readable storage medium, may be configured to store a software program, a computer-executable program, and modules, corresponding to the registration method according to the embodiment of the present application, for example, the first acquisition module 410, the first determination module 420, and the registration module 430 in the registration apparatus. Memory 72 may include a storage program area that may store an operating system, at least one application program required for functionality, and a storage data area; the storage data area may store data created according to the use of the functional entity, etc. In addition, memory 72 may include high-speed random access memory, and may also include non-volatile memory, such as at least one magnetic disk storage device, flash memory device, or other non-volatile solid-state storage device. In some examples, memory 72 may further include memory remotely located relative to processor 71, which may be connected to the functional entity via a network. Examples of such networks include, but are not limited to, the internet, intranets, local area networks, mobile communication networks, and combinations thereof.
The embodiment of the application also provides a terminal. Fig. 11 is a schematic hardware structure of a terminal according to an embodiment, and as shown in fig. 11, the terminal provided in this application includes a memory 82, a processor 81, and a computer program stored in the memory and capable of running on the processor, where the processor 81 implements the above-mentioned routing indication determination method when executing the program.
The terminal may also include a memory 82; the number of processors 81 in the terminal may be one or more, one processor 81 being taken as an example in fig. 11; the memory 82 is used to store one or more programs; the one or more programs are executed by the one or more processors 81, causing the one or more processors 81 to implement the routing indication determination method as described in embodiments of the present application.
The terminal further comprises: a communication means 83, an input means 84 and an output means 85.
The processor 81, the memory 82, the communication means 83, the input means 84 and the output means 85 in the terminal may be connected by a bus or by other means; connection by a bus is taken as an example in fig. 11.
The input means 84 may be used to receive input numeric or character information and to generate key signal inputs related to user settings and function control of the terminal. The output means 85 may comprise a display device such as a display screen.
The communication means 83 may comprise a receiver and a transmitter. The communication means 83 is provided for performing information transmission and reception communication in accordance with the control of the processor 81.
The memory 82, which is a computer-readable storage medium, may be configured to store a software program, a computer-executable program, and modules, as described in the embodiments of the present application, corresponding to program instructions/modules (e.g., the second acquisition module 610 and the second determination module 620 in the routing indication determination apparatus). The memory 82 may include a storage program area and a storage data area, wherein the storage program area may store an operating system, at least one application program required for a function; the storage data area may store data created according to the use of the terminal, etc. In addition, the memory 82 may include high-speed random access memory, and may also include non-volatile memory, such as at least one magnetic disk storage device, flash memory device, or other non-volatile solid-state storage device. In some examples, the memory 82 may further include memory remotely located with respect to the processor 81, which may be connected to the terminal through a network. Examples of such networks include, but are not limited to, the internet, intranets, local area networks, mobile communication networks, and combinations thereof.
The present application also provides a storage medium storing a computer program which, when executed by a processor, implements a registration method or an authentication method or a route indication determination method according to any one of the embodiments of the present application. The registration method comprises the following steps: acquiring authentication information of a UDM entity; determining RID according to the authentication information; and sending a registration request to a key anchoring functional entity according to the RID. The authentication method comprises the following steps: checking the stored RID according to an authentication request of an authentication service function AUSF entity; and sending authentication information to the AUSF entity according to the checking result. The routing indication determining method comprises the following steps: acquiring authentication information of a UDM entity; determining RID according to the authentication information; and sending a registration request to a key anchoring functional entity according to the RID.
Any combination of one or more computer readable media may be employed as the computer storage media of the embodiments herein. The computer readable medium may be a computer readable signal medium or a computer readable storage medium. The computer readable storage medium may be, for example, but not limited to: an electrical, magnetic, optical, electromagnetic, infrared, or semiconductor system, apparatus, or device, or a combination of any of the foregoing. More specific examples (a non-exhaustive list) of the computer-readable storage medium would include the following: an electrical connection having one or more wires, a portable computer diskette, a hard disk, a random access Memory (Random Access Memory, RAM), a Read-Only Memory (ROM), an erasable programmable Read-Only Memory (Erasable Programmable Read Only Memory, EPROM), a flash Memory, an optical fiber, a portable CD-ROM, an optical storage device, a magnetic storage device, or any suitable combination of the foregoing. A computer readable storage medium may be any tangible medium that can contain, or store a program for use by or in connection with an instruction execution system, apparatus, or device.
The computer readable signal medium may include a propagated data signal with computer readable program code embodied therein, either in baseband or as part of a carrier wave. Such a propagated data signal may take many forms, including, but not limited to: electromagnetic signals, optical signals, or any suitable combination of the preceding. A computer readable signal medium may also be any computer readable medium that is not a computer readable storage medium and that can communicate, propagate, or transport a program for use by or in connection with an instruction execution system, apparatus, or device.
Program code embodied on a computer readable medium may be transmitted using any appropriate medium, including but not limited to: wireless, wire, fiber optic cable, Radio Frequency (RF), and the like, or any suitable combination of the foregoing.
Computer program code for carrying out operations of the present application may be written in one or more programming languages, including an object oriented programming language such as Java, Smalltalk, C++ and conventional procedural programming languages, such as the "C" programming language or similar programming languages. The program code may execute entirely on the user's computer, partly on the user's computer, as a stand-alone software package, partly on the user's computer and partly on a remote computer or entirely on the remote computer or server. In the case of a remote computer, the remote computer may be connected to the user's computer through any kind of network, including a Local Area Network (LAN) or a Wide Area Network (WAN), or may be connected to an external computer (for example, through the Internet using an Internet service provider).
The foregoing is merely exemplary embodiments of the present application and is not intended to limit the scope of the present application.
It will be appreciated by those skilled in the art that the term user terminal encompasses any suitable type of wireless user equipment, such as a mobile telephone, a portable data processing device, a portable web browser or a car mobile station.
In general, the various embodiments of the application may be implemented in hardware or special purpose circuits, software, logic or any combination thereof. For example, some aspects may be implemented in hardware, while other aspects may be implemented in firmware or software which may be executed by a controller, microprocessor or other computing device, although the application is not limited thereto.
Embodiments of the present application may be implemented by a data processor of a mobile device executing computer program instructions, e.g. in a processor entity, either in hardware, or in a combination of software and hardware. The computer program instructions may be assembly instructions, instruction set architecture (Instruction Set Architecture, ISA) instructions, machine-related instructions, microcode, firmware instructions, state setting data, or source or object code written in any combination of one or more programming languages.
The block diagrams of any logic flow in the figures of this application may represent program steps, or may represent interconnected logic circuits, modules, and functions, or may represent a combination of program steps and logic circuits, modules, and functions. The computer program may be stored on a memory. The memory may be of any type suitable to the local technical environment and may be implemented using any suitable data storage technology, such as, but not limited to, Read-Only Memory (ROM), Random Access Memory (RAM), optical memory devices and systems (Digital Versatile Disc (DVD) or Compact Disc (CD)), and the like. The computer readable medium may include a non-transitory storage medium. The data processor may be of any type suitable to the local technical environment, such as, but not limited to, general purpose computers, special purpose computers, microprocessors, digital signal processors (Digital Signal Processor, DSP), application specific integrated circuits (Application Specific Integrated Circuit, ASIC), programmable logic devices (Field-Programmable Gate Array, FPGA), and processors based on a multi-core processor architecture.
By way of exemplary and non-limiting example, a detailed description of exemplary embodiments of the present application has been provided above. Various modifications and adaptations to the above embodiments may become apparent to those skilled in the art without departing from the scope of the present application, as considered in conjunction with the accompanying drawings and claims. Accordingly, the proper scope of the present application is to be determined according to the claims.

Claims (18)

1. A registration method, applied to an authentication service function AUSF entity, comprising:
receiving authentication information from a unified data management function, UDM, entity;
determining a route indication RID contained in the authentication information;
and sending a registration request to a key anchoring functional entity according to the RID.
2. The method of claim 1, wherein the authentication information comprises authentication credentials.
3. The method of claim 2, wherein the authentication credentials are an authentication vector AV of authentication and key agreement AKA.
4. The method of claim 1, wherein the authentication information includes RID indication information for specifying a corresponding number of digits in the mobile subscriber identification number MSIN.
5. The method of claim 4, wherein determining the RID contained in the authentication information comprises:
And taking the value of the corresponding digit in the MSIN designated by the RID indicating information as the RID.
6. The method of claim 1, wherein the authentication information comprises a home network public key identification, HNPKI.
7. The method as recited in claim 1, further comprising:
and sending an authentication request to the UDM entity, wherein the authentication request comprises a user hidden identifier SUCI or a user permanent identifier SUPI.
8. The method of claim 1, wherein sending a registration request to a key anchoring functional entity according to the RID comprises:
generating a key identifier A-KID of an application identity authentication and key management service AKMA anchoring key according to the RID;
and sending the registration request to a key anchoring functional entity according to the A-KID.
9. An authentication method, applied to a unified data management function UDM entity, comprising:
receiving an authentication request from an authentication service function AUSF entity;
and sending authentication information to the AUSF entity in response to the authentication request, wherein the authentication information comprises a routing indication RID, so that the AUSF can send a registration request to a key anchoring functional entity according to the RID.
10. The method of claim 9, wherein the authentication information comprises authentication credentials.
11. The method of claim 10, wherein the authentication credential is an authentication vector AV of authentication and key agreement AKA.
12. The method of claim 9, wherein the authentication information includes RID indication information for specifying a corresponding number of digits in the mobile subscriber identification number MSIN.
13. The method of claim 9, wherein the authentication information comprises a home network public key identification, HNPKI.
14. The method of claim 9, wherein the authentication request comprises a user hidden identity SUCI or a user permanent identity SUPI.
15. An apparatus, comprising:
a memory for storing computer readable instructions; and
a processor for reading the computer readable instructions, the processor implementing the following operations when executing the computer readable instructions:
receiving authentication information from a unified data management function, UDM, entity;
determining a route indication RID contained in the authentication information;
and sending a registration request to a key anchoring functional entity according to the RID.
16. An apparatus, comprising:
a memory for storing computer readable instructions; and
a processor for reading the computer readable instructions, the processor implementing the following operations when executing the computer readable instructions:
receiving an authentication request from an authentication service function AUSF entity;
and sending authentication information to the AUSF entity in response to the authentication request, wherein the authentication information comprises a routing indication RID, so that the AUSF can send a registration request to a key anchoring functional entity according to the RID.
17. A computer readable storage medium having stored thereon a computer program which when executed by a processor performs the operations of:
receiving authentication information from a unified data management function, UDM, entity;
determining a route indication RID contained in the authentication information;
and sending a registration request to a key anchoring functional entity according to the RID.
18. A computer readable storage medium having stored thereon a computer program which when executed by a processor performs the operations of:
receiving an authentication request from an authentication service function AUSF entity;
and sending authentication information to the AUSF entity in response to the authentication request, wherein the authentication information comprises a routing indication RID, so that the AUSF can send a registration request to a key anchoring functional entity according to the RID.
CN202311361858.6A 2021-01-28 2021-01-28 Registration method, authentication method, device and computer readable storage medium Pending CN117641347A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202311361858.6A CN117641347A (en) 2021-01-28 2021-01-28 Registration method, authentication method, device and computer readable storage medium

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN202311361858.6A CN117641347A (en) 2021-01-28 2021-01-28 Registration method, authentication method, device and computer readable storage medium
CN202110121462.9A CN112969176A (en) 2021-01-28 2021-01-28 Registration, authentication and routing indication determining method, device, entity and terminal

Related Parent Applications (1)

Application Number Title Priority Date Filing Date
CN202110121462.9A Division CN112969176A (en) 2021-01-28 2021-01-28 Registration, authentication and routing indication determining method, device, entity and terminal

Publications (1)

Publication Number Publication Date
CN117641347A (en) 2024-03-01

Family

ID=76271726

Family Applications (2)

Application Number Title Priority Date Filing Date
CN202311361858.6A Pending CN117641347A (en) 2021-01-28 2021-01-28 Registration method, authentication method, device and computer readable storage medium
CN202110121462.9A Pending CN112969176A (en) 2021-01-28 2021-01-28 Registration, authentication and routing indication determining method, device, entity and terminal


Country Status (6)

Country Link
US (1) US20230379709A1 (en)
EP (1) EP4271015A1 (en)
KR (1) KR20230127284A (en)
CN (2) CN117641347A (en)
CA (1) CA3204394A1 (en)
WO (1) WO2022160658A1 (en)


Also Published As

Publication number Publication date
CA3204394A1 (en) 2022-08-04
CN112969176A (en) 2021-06-15
US20230379709A1 (en) 2023-11-23
EP4271015A1 (en) 2023-11-01
KR20230127284A (en) 2023-08-31
WO2022160658A1 (en) 2022-08-04

Similar Documents

Publication Publication Date Title
CN110798833B (en) Method and device for verifying user equipment identification in authentication process
US20220052992A1 (en) Identity verification method for network function service and related apparatus
WO2019158028A1 (en) Communication method and device
CN117641347A (en) Registration method, authentication method, device and computer readable storage medium
WO2022083433A1 (en) Session request method and apparatus, terminal, and storage medium
WO2019062235A1 (en) Method, device, and system for invoking network function service
CN111147421B (en) Authentication method based on general guide architecture GBA and related equipment
CN113541925B (en) Communication system, method and device
WO2020151581A1 (en) Method and apparatus for generating key
US11418951B2 (en) Method for identifying encrypted data stream, device, storage medium and system
US20210045050A1 (en) Communications method and apparatus
US11533609B2 (en) Message protection method and apparatus
US20200383150A1 (en) Communication method and apparatus
WO2024001086A1 (en) Data communication method and apparatus based on shared key, device, and medium
CN114301967B (en) Control method, device and equipment for narrowband Internet of things
CN111770488B (en) EHPLMN updating method, related equipment and storage medium
CN108370369B (en) Gateway, client device and method for facilitating secure communication between a client device and an application server using redirection
CN114640992A (en) Method and device for updating user identity
WO2023019944A1 (en) Key update method, network element, user equipment, and storage medium
CN104348801A (en) Authentication method, method for generating credential and correlative apparatus
CN116506842B (en) Method, terminal, system and related equipment for reporting capability information of user identification card
US20240080665A1 (en) Communication method and communication apparatus
CN115865316A (en) Application key deleting method, key anchoring node, server, system and medium
CN117528513A (en) Communication authentication method and related equipment
CN117528512A (en) Communication authentication method and related equipment

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination